A UK-based cyberlaw blog by Lilian Edwards. Specialising in online privacy and security law, cybercrime, online intermediary law (including eBay and Google law), e-commerce, digital property, filesharing and whatever captures my eye:-)
Based at The Law School of Strathclyde University. From January 2011, I will be Professor of E-Governance at Strathclyde University, and my email address will be lilian.edwards@strath.ac.uk.

Thursday, June 18, 2009

Here's a brief and last reminder about GikII 2009 (as some of you well know), the coolest IT law conference on the block, this year transmigrated from UK to Amsterdam, by kind generosity of the IViR!

Submission of abstracts deadline is 1 July, tho this can probably slip a few days:-) We are expecting to be over subscribed (honest) so act fast! Acceptance of abstracts will be announced by August 1. Submissions to vanhoboken@ivir.nl.

As ever, the order of the day is blue skies papers, law/tech/popculture/interdisciplinary, numbers capped at 40, preference for space to those giving papers, especially ones about the Singularity :) no conference fee for speakers or attendees, ppts that could pass muster in the next Banksy show, passing mentions of law, and all the LOLcats you can eat:-)

According to this article in the FT, the Art 29 Working party on Data Protection has produced an unpublished opinion which, if I read it correctly, seems to suggest that the way FB shares data with, and encourages its users to share data with, unknown and unpoliced third party "apps", needs stricter DP regulation.

According to FT,

"regulators say tighter rules are needed to protect personal data given to these third-party developers. In particular, they believe developers should be subject to tough European Union privacy and data protection rules, even when the companies concerned are located far from Europe.

At the same time, they argue that many corporate marketers who have turned to new forms of social media as a way to reach consumers should also be subjected to stiffer regulations."

I'm not finding this opinion on the usual Art 29 page: if anyone has it in advance, I would very much like to see it.

Along with various recent reports suggesting that privacy defaults on social networking sites need tighter attention, for everyone not just children, it does seem the privacy and security risks of SNSs are finally getting the serious attention they deserve. (Is it just a coincidence btw that this happens as the Iranian situation shows more clearly than ever the power wielded by social networks these days??)

Wednesday, June 17, 2009

Against that backdrop, it is hardly surprising that the report is not wildly imaginative. It deals with structure and delivery of content, rather than the content itself. It worries about provision of local news, but (with the exception of a potentially interesting proposal on a role for new local news consortiums) decides that the main answer lies with regional TV news. To be sure, Mr Bradshaw is taking a risk in imposing a £6 annual poll tax on all fixed-line phone users to pay for extending the broadband pipe network - but it is the wrong kind of risk. Some will question the fairness of Aunt Agnes in Liverpool paying higher phone bills to enable her teenage nephew in the Scottish Highlands to download games. But there is a bigger problem with this proposal: the public is subsidising private companies to gain greater market access - with no public returns. When the government pumped money into the banks, it took a big chunk of equity for the taxpayer; here it is pumping money into the broadband network and taking nothing in return. There will be no equity stakes (which would at least have been fair), nor is it easy to regulate what goes down those broadband pipes. This amounts to an unconditional transfer of resources from the very poorest to the big technology firms

Tuesday, June 16, 2009

Re Sarkozy's latest revamp of HADOPI, I don't think I can face saying anything except, oh good grief Charlie Brown. Still I suppose judicial oversight IS actually what we want (if it's real and not just rubber stamp), so it's kind of good news :) (well we want so much more, like sense, but will we ever get it?)

Users will be able to opt in to paying a flat rate payment per month (added on to their monthly ISP bill) and then download any amount of music from Canadian-distributing record companies, perfectly legally. If you choose not to opt in, however, this is perfectly Ok but you have to sign a declaration saying you do not fileshare. Any subsequent discovery to the contrary is likely to be judged unkindly by the courts :) and it is likely that (rather as with those who don't pay a TV license fee in the UK) you would go on a "watch carefully" list (though this part was vague in detail yet).

Money collected by ISPs as part of monthly billing is simply handed over to existing collecting societies who distribute it as usual. ISPs are incentivised to take part because they save money by providing the digital music access via P2P, a la BBC's iPlayer - thus vastly reducing their bandwidth issues, and removing any need to monitor, filter or "traffic manage".

Simple, sensible, good human rights, good for artists, good for users, and a good combination of carrot and sticks. ISPs too can choose to opt in or out - how different from the acts of our own dear government, still determined to dragoon UK ISPs into propping up a failing business model, alienating their own client base and potentially breaching fundamental rights.

In the UK the nearest we yet have to this scheme among the big ISPs (leaving aside small innovative players like PlayLouder here) has emerged from Virgin's announcement that (from the Beeb):

"For a monthly fee, Virgin's broadband customers will be able to download or stream as many MP3 files as they want. As part of the deal, Virgin has pledged to aggressively police usage to stop the MP3 tracks turning up on file-sharing networks."

The problem is that Virgin's all you can eat deal only covers Universal artists. Virgin say it is in talks to add other music firms' back catalogues to the service. But are there any prospects of all the major labels coming in, as in the Canadian scheme, to make legal P2P as attractive as the illegal version? Pigs might fly, seems the general gist of the informed response.

"...thirdly we aim to provide for a graduated response by rights-holders and ISPs so that they can use the civil law to the full to deter the hard core of users who wilfully continue unlawful activity. The Government intends to provide initially for Ofcom to have a duty to secure a significant reduction in unlawful file sharing by imposing two specific obligations: notification of unlawful activity and, for repeat-infringers, a court-based process of identity release and civil action.

The Government is also providing for intermediate technical measures by ISPs, such as bandwidth reduction or protocol blocking, if the two main obligations have been reasonably tried but, against expectations, shown not to have worked within a reasonable but also reasonably brisk period."

Same old, same old. So we can, it seems, organise a levy to pay for rural broadband - which every person in the country will have to pay, whether they use it or not and are urban or rural - but are unwilling to contemplate a system like the Canadian voluntary levy, where those who don't want to fileshare simply get to opt out, and those who do, get to pay a sensible amount instead of being slowed down till they can no longer use the Net for useful stuff like jobs, education and social interaction. Sigh. Double sigh. No more: I've said it all before.

One faint piece of good news is that as the Guardian notes:

"The final report does not contain any suggestion of a statutory "rights agency" that would try to reduce copyright infringement online, as was suggested in the interim report released earlier this year – to widespread criticism. Instead, the final report says "we hope that an industry body ... will come into being to draft these codes [of practice for identifying offenders] for Ofcom to approve and we would encourage all rights holders and ISPs to play a role in this."

So we don't have to pay the levy to pay for the SRA anyway. Not yet anyway. Small comfort :-) Note the codes are still to be drafted by the industry and approved by Ofcom, with a thumbs up from ISPs and rightsholders. Where is the consumer voice in all this??? In the words of Chirpy Chirpy Cheep Cheep, apparently far, far away...

Interesting times (as ever) in the social networking sites/personal branding crossover world. One of the most interesting papers from Digital Convergence HK was by Lisa P. Ramsey, University of San Diego School of Law on "brandjacking", on social networks - the increasing practice of grabbing famous personal or corporate names on social networks, even if they're not you (or not exclusively you).

Twitter has had quite a history of this, as the current locus of choice for celebrity blogging - but it is also, less obviously, becoming of enormous commercial significance - just a few days ago Dell proudly announced it had sold c $3m worth of computers through its Twitter shop (though as one commenter wisely says, are these new sales or just diverted from other salespoints??)

To respond to this, Twitter has just announced a verified account process - at first rolled out only for personal, not commercial, usernames and aimed at famous names (eg the likes of Neil Gaiman and Stephen Fry, who have been plagued by imitators/admirers). The new service at the moment merely invites those afflicted to submit their details but does not give any details of what evidence will be used to ascertain who is who, nor how to distinguish between two worthy competitors for the same name - eg my brother is called Jonathan Edwards and is a consultant IT and office automation lawyer, but there is also Jonathan Edwards the former medal winning triple jumper! Who should get the Twitter space? Neither is exactly Janet Jackson... and arguably though the sport one may be more famous, my brother can make better commercial use of this particular space?? Interestingly anyone can apply to be verified - so Pangloss has, sub nom Lilian Edwards! Let's see if they reply :-)

Lisa suggested that as with domain names, the law of trade marks should be relevant to protect brands, and needs re-examining to see if it could meet this kind of challenge. She then canvassed the kinds of problems that may result, familiar to those who've followed the ICANN wars. What about businesses whose name is a generic, like Apple Computers? Should they get preferential treatment on Twitter or FB when they wouldn't in TM law?

So should the Cox-lover be deposed by FB, or if they don't play ball, even sued under TM law, or fined under the US Anti CyberSquatting law, or local equivalents? If so, why? And what about Fiona Apple the singer, who sells most of her records over the Internet these days, and also has an FB "be a fan" page??

Social networks were originally set up to allow people to be, well, social, not to sell things - and to be fans of things like pop groups, books, movies, comics and er fruit: all extensions of their personality. Yet as the Grauniad wisely suggest, it is likely the SNSs will bend over backwards to make provision to allow remedies against "facesquatting" etc because the businesses and the celebrities are the place where they will, if ever, find a revenue stream more reliable than mere ads. As the Grauniad adds:

"In truth, though, I think the odd timing shows us something else: that the real target of Facebook usernames aren't users at all, but the companies, brands and high-profile celebrities who can be convinced to pay for services somewhere down the line."

Pangloss is deeply unsure if some new version of TMs and domain name law should be adapted or invented for the social namespace. For one, there is simply not, or at least not always, the same problem as there is with domain names used as URLs: that there can be only one. There is already more than one Lilian Edwards on Facebook (and I am lucky to have an unusual first name) but there can only be one lilian.facebook.com (and it is not me) or even liianedwards.co.uk.

Is it really helping any to give me yet more opportunities to fight it out with the other Lilians (at least one of whom has her own business, selling elephant drawings!!)? Isn't the real solution here better granular search facilities on FB and other sites, not giving out and policing unique vanity URLs? There is already substantial evidence the public now overwhelmingly finds sites via Google not via typing in random URLs anyway.

But - as Lisa pointed out - is the issue not actually more of public confusion, than of brand maintenance? If I find a site called Dell on Twitter, will I assume it is the real Dell selling me reputable computers, not some rip-off merchant? Perhaps, but here as noted Twitter is already bringing in its own solutions (and asking businesses to pay for a verified site at some future point doesn't seem too wrong to me either, if it leads to $3m extra sales.).

In the Twitter celebrityspace there is also a rather cute emergent norm, that when a name has been snaffled, the celebrity renames as " -himself" - so eg Neil Gaiman is @neilhimself.

As well as these "norm" solutions, if the problem is public confusion, can't that be better met by enforcing existing public laws on false advertising, fraudulent commercial practices, etc, than by inviting vast swathes of private trade mark litigation, which might in turn need the reinvention of the ICANN UDRP procedure, international treaty negotiation, etc etc, all over again? This seems to me like a place where we should not in knee jerk fashion turn to an IP solution. We don't need more property for companies to fight over here, and given the costs of policing the brand, they possibly don't want it either; all we need are workable solutions for consumers.

Lisa pointed out correctly that most false advertising rules only apply to commercial actors - but this doesn't have to be so. In fact in the UK, it is an offense in advertising law to deceptively hold yourself out as a private person when you are in fact a business (for more on this and the problem of the emergent hybrid consumer or "prosumer" see Christine Riefa's chapter on e-contracts in the upcoming - guess what - 3rd edn of Edwards and Waelde eds Law and the Internet.)

Let's stop and think a bit before we jump again to create yet more new IP rights, ok?

Pangloss is now at a hotel with a pool and a beach :-)) so she's going to try to take a break from all this intellectual fever!! Bye for now :)

I've been noticing retweets from Iran on my own Twitterlist. They do seem to be reaching an unusually diverse selection of people.

"Wagner James Au says,

Iranians around the world are making extraordinary use of Twitter and Twitter APIs to send updates and coordinate the uprising that now disputes Ahmadinejad's election. (Some background from Andrew Sullivan here) Last night Tweets from Iran seemed to go silent for several hours, apparently after Iranian government intervention, but protesters just used TwitterFall.com and other workarounds to keep the information stream going. (As one developer supporter put it, "Open APIs equal freedom.") The mainstream media has been tragically slow to cover what seems to be a major social upheaval fueled by Twitter. "

So GikII was bijoux but very interesting. Graham Greenleaf and Ian Brown swapped multi Continental ideas, helped by the audience, on how to reform personal data protection laws, calling on current moves to reform the EU DPD, the evolving APEC privacy principles, Graham's work on comparative Asian privacy law and the far famed (everyone in Oz spoke about it in hushed tones) 2000 pages AU$2 m ALRC report on privacy.

The general emerging ideas seem to be:

one size does NOT fit all : more prior privacy impact assessment and privacy engineered in ("privacy by design") needed for large data bases and other such projects, especially in public sector;

in the EU the effect of Lindqvist needs rolled back for small data processors such as the millions of user generated content providers. A stronger domestic purposes exemption might meet these needs, linked to stronger obligations on platforms to take down on complaint (though Pangloss wonders about the free speech impact of this?) and industry codes on privacy protective default settings on social networks.

for all data processors, more emphasis on data minimisation - collecting less data ab initio, by code means and by reliance on principles such as the Australian rule that systems must be designed to allow an anonymity option if practical (eg London's Oyster system is designed for identifying users; Singapore's Octopus is not). This is all the more important as security of large multiple access dbs is increasingly unreliable.

more concern for the merging human rights protection for privacy not just under DPD rules - eg the recent UK ECHR defeat in the DNA database case.

replace boilerplate registration of purposes with online subject access rights and tracking of use of data (PG sez: could semantic web data help here??)

penalties for abusive use of "DP" by companies to restrict access to info by consumers

security breach notification was controversial with some complaining in US it had done little or nothing to stop malware breaches.

Very much stuff to think about there. Other great papers involved Will Uther, Senior Lecturer (School of Computer Science and Engineering, UNSW) on Patent Law in the Federation: Replicators and Piracy which relied on 23rd century Star Trek Federation law to assess how future technology might disturb patent law :)); and Andrea Matwyshyn (Wharton, Penn) on Bourdieu, privacy and social capital. (Book of the week, btw, has definitely been Lanham's Economics of Attention.)

Pangloss herself argued gloomily (in both HK and Oz) that rights to control and bequeath digital assets after death (such as eBay reputations and Facebook profiles as well as the much discussed virtual world/MMORPG assets) would become increasingly important as digital natives age and die, and life logging expands. The key problems are the intermediation of the assets, leading to a loss of control by both creator and heirs, and the lack of any locus to consider societal interests in access to and preservation of digital cultural/literary heritage. This builds on my previous work suggesting that regulation of virtual assets generally is incoherent and ad hoc, as well as my FB/SNSs and property in VWs work. I'll get the new ppt up shortly!

Pangloss is having a bonza time at Peter Yu's East:West extravaganza (average session: 6 speakers, 15 mins each!) in HK. This is the most tightly and geekily organised conference I have ever seen. When you have two mins to go, the computer (not the chair!) warns you loudly, in Stephen Hawking's voice. When your time is up, if you don't wander off meekly, it makes a series of noises: STOP!, explosions, angry baby crying (VERY LOUD!!) and so forth - varied to prevent desensitisation. I suggest this programme be open source coded and exported to all future cons :-)

Hong Kong is currently obsessed with two things: swine flu and Green Dam Escort. No, not an aspect of Internet pornography:) HK being terrified of repeat SARS, all of us got temperature taken before allowed in to conference hall. All schools have been closed, and about 90% of locals are wearing masks. Very surreal seeing tech support, photographers and caterers all wearing masks while running around helpfully: feeling of constant risk of being dragged off to be subjected to the alien probe.

Best paper so far: Rebecca Mackinnon of Human Rights Watch, HKU, etc, on angry responses to the Green Dam Escort software embedding censorcode project. In essence from next month all PCs to be sold into mainland China are to have filtering software known as Green Dam installed on them to provide prior exclusion of unwanted content (wherever the country of origin was). Naturally in the usual way of such censorware, newspapers have already proven that the software allows in nude body art girls but excludes Garfield; also in a lovely confluence of obsessions, the South China Post observes nude pink pig images are also excluded.

Anselm Kamperman Sanders later added the interesting gloss to this that Green Dam can actually be seen as a kind of media control by standards - and thus might be open to international pressure in future by WIPO who are looking at extending control over standards as part of IP harmonisation (or WTO?) Interesting in the context of the current Chinese drive to create its own national standards eg their own version of Office formats and HDTV standards. In some ways Green Dam is the tip of an iceberg of prospective trade war.

Another fascinating paper was Anne Bartow on what I've labeled "fair trade porn": why not deny IP protection to commercial pornography (which has such in US law at least) unless it meets health and safety standards, like ensuring the sex workers involved consent, are over age, etc? Pangloss thinks there's an interesting analogy here with fair trade coffee or organic veg, where some people are prepared to pay higher prices to know more about the provenance and social goals of the product. Now porn is so widely and openly used, would there be a market for this? Is porn not something you WANT to be "dirty"? And is there any spare money for fair trade porn, like organic veg, in a recession!

Ever since the French law was first proposed in November 2007, six months after Nicolas Sarkozy took presidential power in France, governments around the world have been building a house of cards surrounding the concept.

Everybody's considered the same law: Britain, New Zealand, Ireland and even America are among the countries that have proposed their own version of three strikes - the idea that anyone thought to have illegally shared files online will get two warnings, before having their broadband connection cut off on the third accusation.

But here's the problem: each proposal has a disturbing tendency to point back to the others in an attempt to shore up its case. I've had conversations with various officials, and read documents from most of the major initiatives, that reference the French law as a precedent, or point out that the British are considering a similar rule."

Legally, if the French courts have truly held that Internet access is a human right, this may be enormously significant, both to EU law as well as to domestic French law and to other areas than sanctions against filesharing. I look forward to (hopefully?) seeing an English translation of the opinion soon.

Tuesday, June 02, 2009

.. since everyone else is having fun, why not us? Pangloss late to the keyboard as in Adelaide (AUSTRALIA!!) but this is still worth blogging and a story of far more lasting import than duck islands and moat cleaning. Via ARCH, the organisation that works for child privacy:

The information tsar was planning to order the publication of the full details of MPs' expenses three years ago, but watered down his final judgement after pressure from the House of Commons, The Sunday Telegraph can reveal.

Leaked emails show that Richard Thomas, the Information Commissioner, had prepared a draft decision in 2006 which would have ruled that the Commons was not acting properly under the Freedom of Information (FOI) Act and should release expenses details, including receipts.

However, after a series of communications between his office and Commons authorities he backed down.

The Sunday Telegraph has learned that Jack Straw, who was then the Commons Leader, held a meeting with Mr Thomas and his deputy, Graham Smith, between the commissioner's preliminary and final rulings.

A spokesman for Mr Straw, however, denied last night that the talks – at which senior MPs from other parties were also present – played a "fundamental" role in the commissioner's U-turn."

Richard Thomas has of course already left the ICO (and not for any reason connected to the current scandals). But it would be nice to think that this story emerging in the current climate of public fury - and only published a few days before Jacqui Smith, initiator of how many anti privacy moves? left office, albeit for her embarrassing expenses tricks not her parts in creating a surveillance state - will give his successor the courage to follow his own convictions in future. The job of Information Commissioner is after all to protect privacy of the people and openness in government, not the government of the day.